OWASP & ASP.NET

Prepared with the great information that can be found at http://www.troyhunt.com/2011/12/free-ebook-owasp-top-10-for-net.html (Troy Hunt's free e-book "OWASP Top 10 for .NET developers").

Page 1: Owasp & Asp.Net

OWASP & ASP.NET

Page 2: Owasp & Asp.Net

OWASP TOP 10

• Injection
• Cross-Site Scripting (XSS)
• Broken Authentication & Session Management
• Insecure Direct Object References
• Cross-Site Request Forgery
• Security Misconfiguration
• Insecure Cryptographic Storage
• Failure to Restrict URL Access
• Insufficient Transport Layer Protection
• Unvalidated Redirects and Forwards

Page 3: Owasp & Asp.Net

Injection

• SQL, OS and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query

• Untrusted data:
– Integrity is not verifiable
– Intent may be malicious
– Manual user input
– Implicit user input (headers, cookies, referrer)
– Constructed user input (data assembled from other sources)
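An added example (not from the slides or the e-book) showing the same lookup in ADO.NET written the injectable way and the parameterised way; the connection string, table and column names are placeholders.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example: the same query as string concatenation and as a parameterised
// command. Connection string and schema are placeholders.
public static class OrderRepository
{
    const string ConnectionString = "<placeholder connection string>";

    // VULNERABLE: the untrusted value is spliced into the SQL text, so the
    // interpreter cannot distinguish data from command syntax.
    public static DataTable FindOrdersUnsafe(string customerName)
    {
        var sql = "SELECT Id, Total FROM Orders WHERE CustomerName = '" + customerName + "'";
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }

    // SAFE: the value travels as a typed parameter. Whatever it contains is
    // compared as an NVARCHAR value and never parsed as SQL.
    public static DataTable FindOrders(string customerName)
    {
        const string sql = "SELECT Id, Total FROM Orders WHERE CustomerName = @name";
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = customerName;
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }
}
```

The same rule applies to OS commands and LDAP filters: pass untrusted values through the API's own parameter or escaping mechanism rather than building the command string by hand.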

Page 4: Owasp & Asp.Net

OWASP Matrix

Threat Agents: Anyone who can send data to the system.

Attack Vectors (Exploitability: EASY): Attacker sends simple text-based attacks that exploit the syntax of the interpreter.

Security Weakness (Prevalence: COMMON, Detectability: AVERAGE): Very prevalent, particularly in legacy code; often found in SQL and LDAP queries, OS commands and program arguments.

Technical Impacts (Impact: SEVERE): Can result in data loss or corruption, lack of accountability, or denial of access.

Business Impact: Business value of the affected data.

Page 5: Owasp & Asp.Net

CROSS SITE SCRIPTING (XSS)

Page 6: Owasp & Asp.Net

CROSS SITE SCRIPTING

• Most commonly exploited vulnerability
• WhiteHat Security report: 65% of sites have an XSS vulnerability
• Caused by sending data to a browser without proper validation and escaping
• Allows executing scripts in the victim's browser
– Hijack user sessions
– Redirect to malicious sites
• Can expose an attack vector from the database (stored data rendered to other users)

Page 7: Owasp & Asp.Net

XSS Matrix

Threat Agents: Anyone who can send untrusted data to the system.

Attack Vectors (Exploitability: AVERAGE): Attacker sends simple text-based attacks that exploit the syntax of the interpreter (here, the browser).

Security Weakness (Prevalence: WIDESPREAD, Detectability: EASY): Most prevalent web application security flaw. Three types: 1. Stored, 2. Reflected, 3. DOM-based.

Technical Impacts (Impact: MODERATE): Attacker can execute script in the victim's browser: session hijacking, inserting hostile content, delivering malware, etc.

Business Impact: Business value of the affected data.

Page 8: Owasp & Asp.Net

Encoding

Encoding Method – Example/Pattern

HtmlEncode – <a href="http://www.contoso.com">Click Here [Untrusted input]</a>

HtmlAttributeEncode – <hr noshade size=[Untrusted input]>

JavaScriptEncode – <script type="text/javascript">…[Untrusted input]…</script>

UrlEncode – <a href="http://search.msn.com/results.aspx?q=[Untrusted-input]">Click Here!</a>

XmlEncode – <xml_tag>[Untrusted input]</xml_tag>

XmlAttributeEncode – <xml_tag attribute=[Untrusted input]>Some Text</xml_tag>

Page 9: Owasp & Asp.Net

XSS Prevention Rule #0

• Never Insert Untrusted Data Except in Allowed Locations

<script>...NEVER PUT UNTRUSTED DATA HERE...</script> – directly in a script
<!--...NEVER PUT UNTRUSTED DATA HERE...--> – inside an HTML comment
<div ...NEVER PUT UNTRUSTED DATA HERE...=test /> – in an attribute name
<NEVER PUT UNTRUSTED DATA HERE... href="/test" /> – in a tag name
<style>...NEVER PUT UNTRUSTED DATA HERE...</style> – directly in CSS

Page 10: Owasp & Asp.Net

XSS Prevention Rule #1

• HTML Escape Before Inserting Untrusted Data into HTML Element Content

<body>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...</body>
<div>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...</div>
any other normal HTML elements

• & --> &amp;
• < --> &lt;
• > --> &gt;
• " --> &quot;
• ' --> &#x27;
• / --> &#x2F;

Page 11: Owasp & Asp.Net

XSS Prevention Rule #2

• Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes

<div attr=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...>content</div> – inside UNquoted attribute
<div attr='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'>content</div> – inside single-quoted attribute
<div attr="...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">content</div> – inside double-quoted attribute

Page 12: Owasp & Asp.Net

XSS Prevention Rule #3

• JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values

<script>alert('...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...')</script> – inside a quoted string
<script>x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'</script> – one side of a quoted expression
<div onmouseover="x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'">content</div> – inside quoted event handler

Page 13: Owasp & Asp.Net

XSS Prevention Rule #4

• CSS Escape And Strictly Validate Before Inserting Untrusted Data into HTML Style Property Values

<style>selector { property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...; } </style> – property value
<style>selector { property : "...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE..."; } </style> – quoted property value
<span style="property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">text</span> – property value in a style attribute

Page 14: Owasp & Asp.Net

XSS Prevention Rule #5

• URL Escape Before Inserting Untrusted Data into HTML URL Parameter Values

<a href="http://www.somesite.com?test=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">link</a>

Page 15: Owasp & Asp.Net

XSS Prevention Rule #6

• Use an HTML policy engine to validate or clean user-supplied HTML on the way out (when rich HTML must be rendered at all)

• AntiXSS (Microsoft's encoding library, whose context-specific encoders cover Rules #1 to #5)
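The encoding table and Rules #1 to #5 above, worked as one added example (not code from the slides or the e-book): each output context gets its own encoder. It assumes .NET 4.5+, where AntiXssEncoder ships in System.Web, and uses HttpUtility.JavaScriptStringEncode for the JavaScript context; the untrusted value is whatever the caller passes in.

```csharp
using System.Text.RegularExpressions;
using System.Web;
using System.Web.Security.AntiXss;

// Added example: one encoder per output context. There is no encoder for the
// Rule #0 locations (script bodies, comments, tag and attribute names, raw CSS):
// untrusted data is simply never placed there.
public static class SafeRendering
{
    // Rule #1: element content -> HTML-encode.
    public static string ElementContent(string untrusted)
        => "<div>" + AntiXssEncoder.HtmlEncode(untrusted, false) + "</div>";

    // Rule #2: attribute value -> attribute-encode AND always quote the attribute,
    // so the encoder only has to neutralise the quote character, not whitespace.
    public static string AttributeValue(string untrusted)
        => "<div title=\"" + AntiXssEncoder.HtmlAttributeEncode(untrusted) + "\">content</div>";

    // Rule #3: JavaScript string literal -> JavaScript-string-encode. The second
    // argument makes the helper emit the surrounding double quotes itself.
    public static string ScriptValue(string untrusted)
        => "<script>var name = " + HttpUtility.JavaScriptStringEncode(untrusted, true) + ";</script>";

    // Rule #4: CSS property value -> validate against a strict allow-list first,
    // fail closed to a harmless default, then CSS-encode.
    static readonly Regex SimpleCssToken = new Regex("^[A-Za-z0-9#]{1,20}$");
    public static string StyleValue(string untrusted)
    {
        if (!SimpleCssToken.IsMatch(untrusted)) untrusted = "inherit";
        return "<span style=\"color: " + AntiXssEncoder.CssEncode(untrusted) + "\">text</span>";
    }

    // Rule #5: URL query parameter -> URL-encode the value, then attribute-encode
    // the whole href because it is being placed into an HTML attribute.
    public static string QueryValue(string untrusted)
    {
        var url = "http://www.somesite.com/?test=" + AntiXssEncoder.UrlEncode(untrusted);
        return "<a href=\"" + AntiXssEncoder.HtmlAttributeEncode(url) + "\">link</a>";
    }

    // XmlEncode / XmlAttributeEncode from the table, for data written into XML.
    public static string XmlElement(string untrusted)
        => "<xml_tag>" + AntiXssEncoder.XmlEncode(untrusted) + "</xml_tag>";

    public static string XmlAttribute(string untrusted)
        => "<xml_tag attribute=\"" + AntiXssEncoder.XmlAttributeEncode(untrusted) + "\">Some Text</xml_tag>";
}
```

Nesting order matters in QueryValue: the value is URL-encoded for the URL grammar, then the resulting URL is attribute-encoded for the HTML grammar, matching the order in which the browser will decode it.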

Page 16: Owasp & Asp.Net

BROKEN AUTHENTICATION & SESSION MANAGEMENT

Page 17: Owasp & Asp.Net

Defining Broken Authentication

• Authentication and session management functions not implemented correctly

• Allow attackers to compromise passwords, keys, session tokens

Page 18: Owasp & Asp.Net

Broken Authentication Matrix

Threat Agents: External attackers, and internal users trying to steal accounts from others.

Attack Vectors (Exploitability: AVERAGE): Attackers use leaks or flaws in the authentication or session management functions.

Security Weakness (Prevalence: COMMON, Detectability: AVERAGE): Custom authentication and session management schemes; flaws are hard to find.

Technical Impacts (Impact: SEVERE): Allow some or all accounts to be attacked.

Business Impact: Business value of the affected data.

Page 19: Owasp & Asp.Net

Anatomy of Broken Authentication

• Session IDs in the URL
– Cookieless session state

• Can still occur without IDs in the URL (via executed XSS flaws)

• HttpOnly cookies
• Use ASP.NET Membership & Role Providers

Page 20: Owasp & Asp.Net

Session Fixation

• Do not accept session identifiers from GET / POST variables
• Use identity confirmation
• Store session identifiers in cookies
• Regenerate SID on each request
• Accept only server-generated SIDs
• Logout function
• Time-out old SIDs
• Destroy session if Referrer is suspicious
• Verify that additional information is consistent
– User Agent
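An added example (not from the slides or the e-book) applying the points above in ASP.NET Web Forms: rotate to a fresh server-generated session ID at login so an ID planted before authentication is never promoted, record the User-Agent at session start, and tear the session down when it no longer matches or has aged out. The page path, session key names and the hook points named in comments are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

// Added example: session rotation at login plus a per-request consistency check.
public static class SessionHardening
{
    // Call from the login handler after the password check succeeds.
    public static void OnLoginSucceeded(HttpContext context, string userName)
    {
        // Identity lives in the forms-auth cookie (HttpOnly by default), not in Session.
        FormsAuthentication.SetAuthCookie(userName, createPersistentCookie: false);

        // Abandon the pre-authentication session and hand the browser a new ID.
        // Values written to Session in this request would still be saved under the
        // old ID, so nothing is stored here; the redirected request starts clean.
        context.Session.Abandon();
        var manager = new SessionIDManager();
        string newId = manager.CreateSessionID(context);   // random, server-generated
        bool redirected, cookieAdded;
        manager.SaveSessionID(context, newId, out redirected, out cookieAdded);
        context.Response.Redirect("~/Default.aspx", endResponse: true);
    }

    // Call from Global.asax Session_Start: record the client fingerprint once.
    public static void OnSessionStart(HttpContext context)
    {
        context.Session["UA"] = context.Request.UserAgent ?? string.Empty;
        context.Session["Issued"] = DateTime.UtcNow;
    }

    // Call once per request after session state is available (e.g. from
    // Application_PostAcquireRequestState). A User-Agent change or an old session
    // is treated as suspicious: the session and the auth cookie are both dropped.
    public static bool IsSessionConsistent(HttpContext context, TimeSpan maxAge)
    {
        var session = context.Session;
        if (session == null || session["UA"] == null) return true; // no session yet
        string currentAgent = context.Request.UserAgent ?? string.Empty;
        bool sameAgent = string.Equals((string)session["UA"], currentAgent, StringComparison.Ordinal);
        bool fresh = DateTime.UtcNow - (DateTime)session["Issued"] <= maxAge;
        if (sameAgent && fresh) return true;
        session.Abandon();
        FormsAuthentication.SignOut();
        return false;
    }
}
```

Rotating on every request, as the slide suggests, uses the same CreateSessionID/SaveSessionID pair but means every tab and back-button navigation must tolerate a changed ID; rotating at authentication boundaries is the minimum.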

Page 21: Owasp & Asp.Net

INSECURE DIRECT OBJECT REFERENCE

Page 22: Owasp & Asp.Net

Defining insecure direct object reference

• Data being unintentionally disclosed
• Exposing a reference to an internal object, file, directory or database key
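An added example (not from the slides or the e-book) of the flaw and its fix: a record is looked up by the key taken from the query string, first with no authorization check and then scoped to the authenticated user. The Document type and the store are placeholders.

```csharp
using System;
using System.Linq;
using System.Security.Principal;
using System.Web;

// Added example: a direct object reference honoured blindly, then the same
// lookup bound to the caller. Document and the store are placeholders.
public class Document
{
    public int Id;
    public string OwnerUserName;
    public string Body;
}

public static class DocumentAccess
{
    // VULNERABLE: ?id=123 is trusted as-is, so any authenticated user can
    // enumerate keys and read every record the query can reach.
    public static Document GetDocumentUnsafe(HttpRequest request, IQueryable<Document> store)
    {
        int id = int.Parse(request.QueryString["id"]);
        return store.Single(d => d.Id == id);
    }

    // SAFE: the lookup itself is scoped to the caller's identity. A key that
    // belongs to someone else is indistinguishable from one that does not exist.
    public static Document GetDocument(HttpRequest request, IPrincipal user, IQueryable<Document> store)
    {
        int id;
        if (!int.TryParse(request.QueryString["id"], out id))
            throw new HttpException(400, "Bad document reference");

        if (user == null || !user.Identity.IsAuthenticated)
            throw new HttpException(401, "Authentication required");

        string owner = user.Identity.Name;
        var doc = store.SingleOrDefault(d => d.Id == id && d.OwnerUserName == owner);

        // One response for "missing" and "not yours": no oracle for valid keys.
        if (doc == null) throw new HttpException(404, "Not found");
        return doc;
    }
}
```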

Page 23: Owasp & Asp.Net

IDOR Matrix

Threat Agents: Users of the system who have partial access to system data.

Attack Vectors (Exploitability: AVERAGE): Simple parameter modification.

Security Weakness (Prevalence: COMMON, Detectability: AVERAGE): Applications use the actual name or key value of an object, and authorization is not verified.

Technical Impacts (Impact: SEVERE): Compromise of all data that can be referenced.

Business Impact: Business value of the affected data.

Page 24: Owasp & Asp.Net

CROSS SITE REQUEST FORGERY

Page 25: Owasp & Asp.Net

Defining Cross Site Request Forgery

• Tricking the user into inadvertently issuing an HTTP request to a site
– Confused deputy problem

• The browser sends:
– Session cookie
– Authentication information

• Victim needs to be logged on

Page 26: Owasp & Asp.Net

CSRF Matrix

Threat Agents: Anyone who can trick your users into submitting a request to your site.

Attack Vectors (Exploitability: AVERAGE): Creates forged HTTP requests via image tags, XSS, etc.

Security Weakness (Prevalence: COMMON, Detectability: AVERAGE): Browsers send credentials like authentication cookies automatically, so attackers can create malicious web pages that generate forged requests.

Technical Impacts (Impact: SEVERE): Attackers can change any data the victim is allowed to change.

Business Impact: Business value of the affected data.

Page 27: Owasp & Asp.Net

CSRF Prevention

• Prevention measures that don't work:
– Using a secret cookie
– Only accepting POST requests
– Multi-step transactions
– URL rewriting

Page 28: Owasp & Asp.Net

CSRF Prevention

• Synchronizer Token Pattern
• ViewState
– ViewStateUserKey = Session.SessionID

• Double submit cookies
– Header
– Hidden form value

• .NET CSRF Guard
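An added example (not from the slides or the e-book) of a Web Forms page combining the two defences listed: ViewStateUserKey tied to the session ID, and a per-session synchronizer token carried in a hidden field and checked on every postback. The page class, field name and response handling are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Web.UI;

// Added example: ViewStateUserKey plus a synchronizer token in one Web Forms page.
public partial class TransferPage : Page
{
    const string TokenKey = "CsrfToken";

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // From the slide: ViewStateUserKey = Session.SessionID. It must be set in
        // Init, before ViewState is loaded, or the MAC check silently does nothing.
        ViewStateUserKey = Session.SessionID;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (Session[TokenKey] == null)
            Session[TokenKey] = NewToken();
        string expected = (string)Session[TokenKey];

        // A forged cross-site request carries the cookies but cannot read this
        // field, so a missing or wrong token means the request did not come from
        // a page we rendered to this session.
        if (IsPostBack && !string.Equals(Request.Form[TokenKey], expected, StringComparison.Ordinal))
        {
            Response.StatusCode = 403;
            Response.End();
            return;
        }

        // Re-emit the field on every render so the next postback carries it.
        ClientScript.RegisterHiddenField(TokenKey, expected);
    }

    // 256 bits from the framework CSPRNG; System.Random is not acceptable here.
    static string NewToken()
    {
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }
}
```

In ASP.NET MVC the same synchronizer-token check is provided by @Html.AntiForgeryToken() in the view together with [ValidateAntiForgeryToken] on the action.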

Page 29: Owasp & Asp.Net

INSECURE CRYPTOGRAPHIC STORAGE

Page 30: Owasp & Asp.Net

Defining Insecure Cryptographic Storage

• Failure to properly protect sensitive data at rest

Threat Agents: Users of the system.

Attack Vectors (Exploitability: DIFFICULT): Attackers don't break the crypto. They find keys, or get clear-text copies of the data.

Security Weakness (Prevalence: UNCOMMON, Detectability: DIFFICULT): The most common flaw is not encrypting data at all. Others: unsafe key generation, insecure storage of keys, weak algorithms.

Technical Impacts (Impact: SEVERE): Compromises all data that should have been encrypted.

Business Impact: Business value of the affected data.

Page 31: Owasp & Asp.Net

Questions

• Is the right data encrypted?
• Are the keys protected?
• Is the source data exposed by other interfaces?
• Is the hashing weak?

Page 32: Owasp & Asp.Net

Encryption, hashing, salting

• Encryption: Transforming text into an illegible format that can only be deciphered with a ‘key’

• Hashing: Creating a one way digest that cannot be converted back.

• Salting: Adding a random string to input text before hashing to add unpredictability to the process.

Page 33: Owasp & Asp.Net

MD5, SHA, DES, AES

• MD5: Common, not collision resistant.
• SHA: Secure Hash Algorithm (most popular, not necessarily the most secure variant).
• DES: Data Encryption Standard, insecure.
• AES: Advanced Encryption Standard, common.

Page 34: Owasp & Asp.Net

Symmetric / Asymmetric Encryption

• Symmetric Encryption
– Uses the same key to both encrypt and decrypt.
– The same algorithm can be applied to reverse the encryption.

• Asymmetric Encryption
– Different keys for encryption / decryption.

Page 35: Owasp & Asp.Net

Key Management

• Keep keys unique
• Protect the keys
• Always store keys away from data
• Keys should have a defined lifecycle

Page 36: Owasp & Asp.Net

Cryptographic Cheat Sheet

• Only store sensitive data you need
• Only use strong crypto algorithms (AES, RSA)
• Ensure that random numbers are cryptographically strong
• Only use widely accepted implementations of cryptographic algorithms
• Store the hashed and salted value of passwords
• Ensure that any secret key is protected from unauthorized access

Page 37: Owasp & Asp.Net

FAILURE TO RESTRICT URL ACCESS

Page 38: Owasp & Asp.Net

Defining failure to restrict url access

• Users are able to access a resource they should not because appropriate controls do not exist

Page 39: Owasp & Asp.Net

Matrix

Threat Agents: Anyone with network access can send the application a request.

Attack Vectors (Exploitability: EASY): An attacker who is already authorized changes the URL to a privileged page.

Security Weakness (Prevalence: UNCOMMON, Detectability: AVERAGE): Misconfigured URLs, improper code checks.

Technical Impacts (Impact: MODERATE): Allows attackers to access unauthorized functionality.

Business Impact: Business value of the affected data.

Page 40: Owasp & Asp.Net

Suggestions

• Leverage roles in preference to individual users

• Apply principal permissions
– [PrincipalPermission] attribute

• Protect web services and async calls
• Leverage the IIS 7 integrated pipeline
• Do not roll your own security model
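An added example (not from the slides or the e-book) of the suggestions above: the [PrincipalPermission] attribute demanding a role on a privileged operation, and the same role check done imperatively on an ASMX web method, since URL-based <authorization> rules alone do not protect service and async endpoints. The role name, method names and the use of the Membership/Role providers are assumptions.

```csharp
using System.Security;
using System.Security.Permissions;
using System.Web.Security;
using System.Web.Services;

// Added example: declarative and imperative role checks on the same operation.
public static class AdminOperations
{
    // Declarative: the runtime demands that Thread.CurrentPrincipal is in the
    // role before the method body runs. ASP.NET sets that principal from the
    // authenticated user; with <roleManager enabled="true"> the roles come
    // from the configured Role Provider.
    [PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
    public static void DeleteAccount(string userName)
    {
        Membership.DeleteUser(userName, deleteAllRelatedData: true);
    }
}

public class AccountService : WebService
{
    // A web method is reachable by URL like any page, so it needs its own check.
    // Testing a role rather than a list of user names keeps the policy central.
    [WebMethod]
    public void DeleteAccount(string userName)
    {
        if (User == null || !User.Identity.IsAuthenticated)
            throw new SecurityException("Authentication required");
        if (!Roles.IsUserInRole(User.Identity.Name, "Admin"))
            throw new SecurityException("Admin role required");

        // The declarative demand below still runs, giving defence in depth if
        // this method is ever called from a path that skipped the check above.
        AdminOperations.DeleteAccount(userName);
    }
}
```

A failed PrincipalPermission demand surfaces as a SecurityException; catching it at the page or handler level and returning 403 keeps the behaviour consistent with the URL authorization rules.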